File: community-virus.rules

package info (click to toggle)
snort 2.9.7.0-5
  • links: PTS, VCS
  • area: main
  • in suites: buster, sid, stretch
  • size: 55,000 kB
  • ctags: 38,464
  • sloc: ansic: 266,667; sh: 12,508; makefile: 2,908; yacc: 497; perl: 496; lex: 261; sed: 14
file content (21 lines) | stat: -rw-r--r-- 3,742 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# These rules are licensed under the GNU General Public License.
# Please see the file LICENSE in this directory for more details.
# $Id: community-virus.rules,v 1.15 2006/10/19 20:20:29 akirk Exp $

alert tcp $EXTERNAL_NET any -> $HOME_NET 5554 (msg:"COMMUNITY VIRUS Dabber PORT overflow attempt port 5554"; flow:to_server,established,no_stream; content:"PORT"; nocase; isdataat:100,relative; pcre:"/^PORT\s[^\n]{100}/smi"; reference:MCAFEE,125300; classtype:attempted-admin; sid:100000110; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"COMMUNITY VIRUS Dabber PORT overflow attempt port 1023"; flow:to_server,established,no_stream; content:"PORT"; nocase; isdataat:100,relative; pcre:"/^PORT\s[^\n]{100}/smi"; reference:MCAFEE,125300; classtype:attempted-admin; sid:100000111; rev:1;)
alert tcp $HOME_NET any -> 207.172.16.155 80 (msg:"COMMUNITY VIRUS Possible BlackWorm or Nymex infected host"; flow:to_server,established; uricontent:"/cgi-bin/Count.cgi?df=765247"; reference:url,www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm; reference:url,cme.mitre.org/data/list.html#24; reference:url,isc.sans.org/blackworm; classtype:trojan-activity; sid:100000226; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 8 (msg:"COMMUNITY VIRUS Nugache connect"; flow:to_server,established; content:"|00 02|"; flowbits:set,nugache.connection; flowbits:noalert; classtype:trojan-activity; sid:100000282; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8 (msg:"COMMUNITY VIRUS Nugache data"; flow:to_server,established; flowbits:isset,nugache.connection; dsize:64; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; classtype:trojan-activity; sid:100000283; rev:1;)

# DNS Rules submitted by urleet@gmail.com
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS Ginwui.B command server dns query attempt - scfzf.xicp.net"; content:"|01 00|"; offset:2; depth:2; content:"|05|scfzf|04|xicp|03|net";threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000310; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS Ginwui.B command server dns query attempt - localhosts.3322.org"; content:"|01 00|"; offset:2; depth:2; content:"|0A|localhosts|04|3322|03|org";threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000311; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY VIRUS Ginwui.B POST attempt"; flow:to_server,established; content:"POST|20 2F|"; nocase; depth:6; content:"Host|3a|"; nocase; content:"scfzf.xicp.net"; nocase; pcre:"/Host\x3A[^\n\r]+scfzf.xicp.net/smi"; content:"Content-Length|3a 20|0"; nocase; content:"Connection|3a| Keep-Alive"; nocase; threshold: type limit, track by_src, count 1, seconds 360; reference:url,vil.nai.com/vil/content/v_139545.htm; classtype:trojan-activity; sid:100000312; rev:3;)


alert udp !$DNS_SERVERS any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS OutBound Dremn Trojan Beacon"; content:"|00 00 01|"; offset:3; depth:3; content:"aaaaaaaaaaaaaaaaaaaaa"; within:50; pcre:"/((X|Y)m(A|B)(i)?...a{21})/"; reference:url,symantec.com/avcenter/venc/data/trojan.dremn.html; classtype:trojan-activity; sid:100000684; rev:1;)
alert udp $EXTERNAL_NET 53 -> !$DNS_SERVERS any (msg: "COMMUNITY VIRUS Answering Dremn Trojan Server"; content:"|80 00 01|"; offset:3; depth:3; content:"aa"; within:50; pcre:"/((X|Y)m(A|B)(i)?...aa)/"; reference:url,symantec.com/avcenter/venc/data/ trojan.dremn.html; classtype:trojan-activity; sid:100000685; rev:1;)